Key Difference Invariant Bias in Block Ciphers

Similar documents
Integrals go Statistical: Cryptanalysis of Full Skipjack Variants

Linear Cryptanalysis of Reduced-Round PRESENT

Zero-Correlation Linear Cryptanalysis with Fast Fourier Transform and Applications to Camellia and CLEFIA

Improved Meet-in-the-Middle Attacks on Reduced-Round Camellia-192/256

Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock

Integral and Multidimensional Linear Distinguishers with Correlation Zero

Linear Cryptanalysis. Kaisa Nyberg. Department of Computer Science Aalto University School of Science. S3, Sackville, August 11, 2015

Type 1.x Generalized Feistel Structures

FFT-Based Key Recovery for the Integral Attack

On Distinct Known Plaintext Attacks

Improved Impossible Differential Cryptanalysis of Rijndael and Crypton

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Experiments on the Multiple Linear Cryptanalysis of Reduced Round Serpent

Differential-Linear Cryptanalysis of Serpent

Differential Attack on Five Rounds of the SC2000 Block Cipher

Improved Linear (hull) Cryptanalysis of Round-reduced Versions of SIMON

Extended Criterion for Absence of Fixed Points

How Biased Are Linear Biases

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Related-Key Rectangle Attack on Round-reduced Khudra Block Cipher

Introduction on Block cipher Yoyo Game Application on AES Conclusion. Yoyo Game with AES. Navid Ghaedi Bardeh. University of Bergen.

Cryptanalysis of the Full DES and the Full 3DES Using a New Linear Property

Some attacks against block ciphers

A Brief Comparison of Simon and Simeck

A Five-Round Algebraic Property of the Advanced Encryption Standard

Security of the SMS4 Block Cipher Against Differential Cryptanalysis

Towards Provable Security of Substitution-Permutation Encryption Networks

Impossible Differential Attacks on 13-Round CLEFIA-128

New Observations on Impossible Differential Cryptanalysis of Reduced-Round Camellia

New Results in the Linear Cryptanalysis of DES

Algebraic Techniques in Differential Cryptanalysis

Distinguishing Attacks on a Kind of Generalized Unbalanced Feistel Network

Multivariate Linear Cryptanalysis: The Past and Future of PRESENT

jorge 2 LSI-TEC, PKI Certification department

S-box (Substitution box) is a basic component of symmetric

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Security of the AES with a Secret S-box

Linear Cryptanalysis of Reduced-Round Speck

Invariant Subspace Attack Against Midori64 and The Resistance Criteria for S-box Designs

Division Property: a New Attack Against Block Ciphers

Improved Multiple Impossible Differential Cryptanalysis of Midori128

Links Between Truncated Differential and Multidimensional Linear Properties of Block Ciphers and Underlying Attack Complexities

A New Technique for Multidimensional Linear Cryptanalysis with Applications on Reduced Round Serpent

Experimenting Linear Cryptanalysis

Linear Cryptanalysis Using Multiple Linear Approximations

A Unified Method for Finding Impossible Differentials of Block Cipher Structures

Linear Cryptanalysis of RC5 and RC6

Links among Impossible Differential, Integral and Zero Correlation Linear Cryptanalysis

Table Of Contents. ! 1. Introduction to AES

Linear Cryptanalysis

Block Cipher Invariants as Eigenvectors of Correlation Matrices

Chapter 1 - Linear cryptanalysis.

Structural Evaluation by Generalized Integral Property

On Multiple Linear Approximations

Revisiting the Wrong-Key-Randomization Hypothesis

Linear Cryptanalysis of Long-Key Iterated Cipher with Applications to Permutation-Based Ciphers

Subspace Trail Cryptanalysis and its Applications to AES

Impossible differential and square attacks: Cryptanalytic link and application to Skipjack

Computing the biases of parity-check relations

Invariant Subspace Attack Against Full Midori64

Provable Security Against Differential and Linear Cryptanalysis

Improved Impossible Differential Attack on Reduced Version of Camellia-192/256

Block Cipher Cryptanalysis: An Overview

Analysis of cryptographic hash functions

Linear Hull Attack on Round-Reduced Simeck with Dynamic Key-guessing Techniques

Improved characteristics for differential cryptanalysis of hash functions based on block ciphers

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Automatic Search of Truncated Impossible Differentials for Word-Oriented Block Ciphers (Full Version)

Improved Differential-Linear Cryptanalysis of 7-round Chaskey with Partitioning

Revisit and Cryptanalysis of a CAST Cipher

Cryptanalysis of a Generalized Unbalanced Feistel Network Structure

Differential and Rectangle Attacks on Reduced-Round SHACAL-1

MILP-Aided Bit-Based Division Property for Primitives with Non-Bit-Permutation Linear Layers

Symmetric Crypto Systems

Practically Secure against Differential Cryptanalysis for Block Cipher SMS4

Cryptanalysis of the SIMON Family of Block Ciphers

Impossible Differential Cryptanalysis of Mini-AES

Improving the Time Complexity of Matsui s Linear Cryptanalysis

Low Complexity Differential Cryptanalysis and Fault Analysis of AES

Differential Cryptanalysis of the Stream Ciphers Py, Py6 and Pypy

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 9: Encryption modes. AES

Differential Cryptanalysis and Boomerang Cryptanalysis of LBlock

Sieve-in-the-Middle: Improved MITM Attacks (Full Version )

On Feistel Ciphers Using Optimal Diffusion Mappings Across Multiple Rounds

New Insights on AES-Like SPN Ciphers

Low-weight Pseudo Collision Attack on Shabal and Preimage Attack on Reduced Shabal-512

Siwei Sun, Lei Hu, Peng Wang, Kexin Qiao, Xiaoshuang Ma, Ling Song

Similarities between encryption and decryption: how far can we go?

LOOKING INSIDE AES AND BES

Differential Fault Analysis of AES using a Single Multiple-Byte Fault

Structural Evaluation of AES and Chosen-Key Distinguisher of 9-round AES-128

Cryptanalysis of SP Networks with Partial Non-Linear Layers

Low Probability Differentials and the Cryptanalysis of Full-Round CLEFIA-128

Zero-Sum Partitions of PHOTON Permutations

Symmetric Crypto Systems

Introduction to Symmetric Cryptography

AES side channel attacks protection using random isomorphisms

Cryptanalysis of the Light-Weight Cipher A2U2 First Draft version

On the Wrong Key Randomisation and Key Equivalence Hypotheses in Matsui s Algorithm 2

Improved Conditional Cube Attacks on Keccak Keyed Modes with MILP Method

Transcription:

Key Difference Invariant Bias in Block Ciphers Andrey Bogdanov, Christina Boura, Vincent Rijmen 2, Meiqin Wang 3, Long Wen 3, Jingyuan Zhao 3 Technical University of Denmark, Denmark 2 KU Leuven ESAT/SCD/COSIC and iminds, Belgium 3 Shandong University, Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 25000, China Abstract. In this paper, we reveal a fundamental property of block ciphers: There can exist linear approximations such that their biases ε are deterministically invariant under key difference. This behaviour is highly unlikely to occur in idealized ciphers but persists, for instance, in 5-round AES. Interestingly, the property of key difference invariant bias is independent of the bias value ε itself and only depends on the form of linear characteristics comprising the linear approximation in question as well as on the key schedule of the cipher. We propose a statistical distinguisher for this property and turn it into an key recovery. As an illustration, we apply our novel cryptanalytic technique to mount related-key attacks on two recent block ciphers LBlock and TWINE. In these cases, we break 2 and 3 more rounds, respectively, than the best previous attacks. Keywords: block ciphers, key difference invariant bias, linear cryptanalysis, linear hull, key-alternating ciphers, LBlock, TWINE Introduction. Linear cryptanalysis, linear approximations, and bias Linear cryptanalysis is a central and indispensable attack on block ciphers. Having been proposed as early as in 992 [23 25], it forms an established research field within symmetric-key cryptology. Since then, many interesting results have been obtained in the area, among others including correlation matrices by Daemen et al. [8], multiple linear cryptanalysis by Kaliski and Robshaw [5], linear hull effect by Nyberg [29], multidimensional cryptanalysis by Hermelin et al. [3], comprehensive bounds on linear properties by Keliher and Sui [8], as well as success probability estimations by Selçuk [35]. The basis of linear cryptanalysis is a linear approximation of a function f. If the linear approximation holds with probability /2 + ε, ε is called its bias. A linear approximation can comprise numerous linear characteristics θ, each contributing their linear characteristic bias ε θ to the linear approximation bias ε. All authors are corresponding authors.

There are essentially two standard approaches to deal with the key-dependency of these biases: they are either averaged over all keys or evaluated for a fixed key. Both cases have been studied in great detail and these approaches have turned out to be very fruitful: While the average behaviour of the bias is vital to the foundations of linear cryptanalysis and the demonstration of the linear hull effect, Murphy has demonstrated [27] that there can be keys for which the linear distinguisher might not apply. The latter observation is more inline with the fixed-key correlation-matrix approach, which also, among others, has lead to zero-correlation attacks by Bogdanov et al. [3 5] and improved linear attacks on PRESENT by Cho [6]. Apart from the average case and the fixed-key case, recently, Abdelraheem et al. [] have managed to compute the distribution of linear characteristic bias for several interesting examples. Moreover, there has been quite some interest towards deducing key information from the value of the bias [7,28,30]. Kim [9] studies the combined related-key linear-differential attacks on block ciphers. Interestingly, a linear-hull version of Matsui s Algorithm by Röck and Nyberg [32] uses the fact that, in some ciphers, the linear characteristic biases ε θ are the same for different keys. At the same time, much less is known about the even more fundamental question of how the bias ε of the entire linear approximation behaves under a change of key. This is not least due to the fact that the entire linear hull is notoriously difficult to analyze for the immense number of linear characteristics θ comprising it. In this paper, we tackle this problem and reveal a property for many block ciphers, namely, that the bias ε of a linear approximation can be actually invariant under the modification of the key..2 Our contributions The contributions of this paper are as follows. Bias invariant under key difference in iterative block ciphers. We investigate the bias of a linear approximation in key-alternating ciphers (iterative SPN ciphers with XOR addition of subkeys) under a change of the key. By looking at the composition of the fixed-key linear hull from individual characteristics, we derive a sufficient condition on the keys and linear approximations such that the bias remains unaffected by a change of key. The class of key-alternating ciphers is already broad enough to include AES, most of the other SPN ciphers, and some eistel ciphers. After recalling some background on linear cryptanalysis in Section 2, we describe these findings in Section 3. An instructive example with AES. With our technique, the key difference invariant bias property is easy to construct over (a part of) susceptible ciphers since it mainly depends on the differential diffusion in the key schedule and on the linear diffusion in the data transform of a cipher. We use AES to show how the property can be derived. Namely, we demonstrate a key difference invariant 2

bias property holding deterministically over 5 rounds of the original AES-256. This serves as a pedagogical illustration. See Section 3.3. Statistical distinguisher and generic key recovery. The probability to have the key difference invariant bias property in an idealized block cipher with block size n, is about 2π 2 3 n 2. This forms the basis for a statistical distinguisher that can be used for key recovery. Here, we use the fact that the key difference invariant bias property is actually truncated, i.e., there are many linear approximations with key difference invariant bias in most susceptible ciphers. In our distinguisher, for two keys, we compute the sample biases of a set of approximations with this property (using the part of the plaintext-ciphertext pairs available to the adversary) and test their collective proximity. We demonstrate that it is possible to efficiently distinguish this from an idealized cipher, under some basic independency assumptions. The distinguisher can be used for hash functions and block ciphers. In the related-key setting, we propose a key recovery procedure for block ciphers which is similar to Matsui s Algorithm 2. These techniques are given in Section 4. Applications to block ciphers LBlock and TWINE. As an illustration, we apply our new cryptanalytic technique of key difference invariant bias to the recently proposed block ciphers LBlock [39] and TWINE [37]. LBlock was designed by Wu et al. and presented in ACNS 20. Its state and key sizes are 64 and 80 bits respectively. LBlock has received the attention of many cryptographers and various attacks have been published so far on some reduced versions [6, 20 22, 26, 33, 34]. The best attack breaks 22 rounds of the cipher. TWINE is a block cipher proposed in SAC 202 by Suzaki et al. that is operating on a 64-bit state that is parameterized by keys of length 80 or 28 bits. The total number of rounds is 36. The best known attack on TWINE-28, is an impossible differential attack given in [37], that breaks 24 rounds of the cipher. We identify key difference invariant bias properties over 6 rounds of LBlock and 7 rounds of TWINE-28. This allows us to attack 24-round LBlock and 27-round TWINE-28 in the classical related-key model with differences in the user-supplied master keys. Thus, our attacks improve upon the state-of-the-art cryptanalysis for both LBlock and TWINE by breaking 2 and 3 more rounds, respectively, than the best previous attacks. Our cryptanalysis is provided in Sections 5 and Section 6. 2 Preliminaries 2. Key-alternating ciphers A block cipher operating on n-bit blocks with a k-bit key can be seen as a subset of cardinality 2 k of the set of all 2 n! permutations over the space of n-bit strings. In an idealized block cipher, this subset is randomly chosen. In all practical settings, however, one is concerned with efficiently implementable 3

block ciphers. So all block ciphers used in practice contain at their core the iterative application of r similar invertible transformations (called rounds). Keyalternating block ciphers form a special but important subset of the modern block ciphers (see igure ): Definition (Key-alternating block cipher [9]). Let each round i, i r, of a block cipher have its own n-bit subkey k i. This block cipher is keyalternating, if the key material in round i is introduced by XORing the subkey k i to the state at the end of the round. Additionally, the subkey k 0 is XORed with the plaintext before the first round. The r + round subkeys k 0, k,..., k r, k r build the expanded key K (of length n(r + ) bits) which is derived from the user-supplied key κ using a key-schedule algorithm ϕ. Numerous popular and widely used block ciphers belong to the class of key-alternating block ciphers. Among others, almost all SPNs (including AES) and some eistel ciphers are key-alternating []. κ plaintext x key schedule, ϕ : κ K =(k 0,k,...,k r) k 0 k k 2 k r k r... round round 2 round r ciphertext y ig.. Key-alternating cipher 2.2 Linear approximations and bias We briefly recall the concepts of linear approximations and bias. We denote the scalar product of binary vectors by a t x = n i= a ix i. Linear cryptanalysis is based on linear approximations determined by input mask a and output mask b. A linear approximation (a, b) of a vectorial function f has a bias defined by ε f a,b = Pr x {bt f(x) a t x} /2 to which we also refer simply as ε if its assignment to function and linear approximation is clear from the context. We call a linear approximation trivial if both a and b are zero. Otherwise, with both a 0 and b 0, it is non-trivial. 2.3 Linear characteristics and linear hulls A linear approximation (a, b) of an iterative block cipher (e.g. a key-alternating block cipher of Definition ) is called a linear hull in [29]. The linear hull contains all possible sequences of the linear approximations over individual rounds, with input mask a and output mask b. These sequences are called linear characteristics which we denote by θ. Now we recall the relations between the bias of a linear characteristic and the bias of the entire linear hull it belongs to, for key-alternating block ciphers. 4

Given a linear hull (a, b), a linear characteristic θ is the concatenation of an input mask a = θ 0 before the first round, an output mask b = θ r after the last round, and r intermediate masks θ i between rounds i and i: θ = (θ 0, θ,..., θ r, θ r ). () Thus, each linear characteristic consists of n(r + ) bits (cf. the length of the expanded key K). The bias ε θ of the linear characteristic θ is defined as the scaled product of the individual biases ε θi,θ i over each round: ε θ = 2 r r ε θi,θ i. i= In a key-alternating cipher, only the sign of ε θ depends on the key value, while the absolute bias value ε θ remains exactly the same for all keys. As a reference point, we denote by d θ {0, } the sign of the linear characteristic bias with expanded key K = 0: ε θ [0] = ( ) d θ ε θ. Now we formulate the following central proposition that deterministically connects the linear approximation bias with the individual linear characteristic biases through a fixed key value: Proposition ([9, Subsection 7.9.2]). or a key-alternating block cipher, the bias ε of a non-trivial linear hull (a, b) is ε = ( ) d θ+θ tk ε θ. θ:θ 0=a,θ r=b We will be relying on Proposition in the next section to determine when ε is invariant under a change of key. 3 Towards bias invariant under key difference or a non-trivial linear hull (a, b) of a block cipher, let ε and ε be two biases under two distinct keys κ and κ, respectively. Now we consider when ε = ε with κ κ, that is, when the bias is invariant under a change of key. 3. Key difference invariant bias in key-alternating ciphers In a key-alternating block cipher, let K and K be the expanded keys corresponding to two user-supplied keys κ and κ, K = ϕ(κ) and K = ϕ(κ ) for key schedule ϕ as in Section 2, such that K = K where the difference describes a connection between K and K. We will now derive a condition on and θ such that the value of linear approximation bias ε = ε is unaffected by the key change κ κ. 5

In a key-alternating cipher, the bias for an expanded key can be computed due to Proposition. That is: ε = ( ) d θ+θ tk ε θ and ε = ( ) d θ+θ t K ε θ. (2) θ:θ 0=a,θ r=b θ:θ 0=a,θ r=b We want to attain the equality ε = ε, so we study when both sides of (2) are equal: One can observe that the only part that is different are the signs of the individual linear characteristic biases. Therefore, the equation will hold if all the signs are equal, that is, if the following is satisfied for each θ: d θ + θ t K = d θ + θ t K. (3) Since d θ is the same, (3) holds if and only if θ t (K K ) = 0. Recalling that we denote K K by, we have the following statement: Theorem (Key difference invariant bias for key-alternating ciphers). Let (a, b) be a non-trivial linear hull of a key-alternating block cipher. Its biases ε for expanded key K and ε for expanded key K with K = K have exactly equal values ε = ε, if θ t = 0 for each linear characteristic θ of the linear hull (a, b) with ε θ 0. Theorem yields a sufficient condition on the relation between the masks of linear characteristics and the expanded key difference for the key difference invariant bias property to hold. We will deal with this in the next subsection. 3.2 Sufficient condition for key difference invariant bias or a fixed pair of keys K and K, the difference connecting them is also constant. At the same time, the linear masks θ will be different for each linear characteristic in the given linear hull (a, b). Thus, can be seen as a linear mask itself on θ that chooses certain positions in characteristics θ, cf. (). In a linear characteristic θ, we address each of the n(r + ) bits by θ(j), j =,..., n(r + ). We focus on bit positions θ(j) in linear characteristics θ such that θ(j) = 0 for all θ with ε θ 0. We call such positions zero positions. Otherwise, a position is called a nonzero position. Now we are ready to formulate a more explicit sufficient condition for deterministically keeping θ t = 0: Condition (Sufficient condition for key difference invariant bias) or a fixed non-trivial linear approximation (a, b) of a key-alternating block cipher, the relation between a pair of the user-supplied keys κ and κ is such that the expanded key difference = K K chooses an arbitrary number of zero positions and no nonzero positions in the linear characteristics θ of the linear hull, with ε θ 0. Once Condition is fulfilled, Theorem becomes applicable with θ t = 0 and yields ε = ε. In the next subsection, for instructive and pedagogical purposes, we show one example of key difference invariant bias property using Condition with AES. 6

3.3 The instructive example of AES Here we provide an illustration of the key difference invariant bias property for AES. The goal of this section is mainly pedagogical and we simply aim to show how such a property can be derived in practice. We demonstrate a key difference invariant bias property for reduced-round AES-256. We provide an example where Condition is satisfied, which in turn makes Theorem applicable. or AES-256, let the two user-supplied 32-byte keys be connected by 0 0 0 0 0 0 δ 0 κ κ = 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 (4) 0 0 0 0 0 0 0 0 with the first byte δ 0 of the 7-th column being the only non-zero byte. urthermore, let the (truncated) linear approximation be defined by the 6-byte input/output masks: a 0 0 0 b 0 0 0 0 0 0 0 0 0 0 0 a = 0 0 0 0 and b = 0 0 0 0 (5) 0 0 0 0 0 0 0 0. The masks define a linear hull for any non-zero byte values a and b. We show that the key difference (4) and the linear hulls (5) result in the key difference invariant bias property for 5 rounds of AES-256. The AES data transform diffuses a single-byte input mask to the full state only after two rounds. Analogously, a single-byte output mask applies to the full state only after three rounds of backward computations. This fact makes Condition applicable to AES. The byte positions involved into the propagation of linear patterns over 5 rounds of AES with a and b above as input/output masks are shown as in igure 2. Correspondingly, byte positions not involved are depicted as. Since AddRoundKey is addition with constant and MixColumns is an affine operation, one can exchange their order under the suitable modification of the subkey value. In this case, ShiftRows is followed directly by the modified AddRoundKey (AK ) which is the case in the last round of igure 2. We track the propagation of the difference in the user-supplied key to the expanded key difference which is shown as in igure 2. κ κ specified above satisfies Condition. In igure 2, all non-zero bytes of are only concentrated in impossible positions of θ and do not interfere with. Thus, ε = ε is fulfilled with probability and the key difference invariant bias property holds deterministically. 3.4 Key difference invariant bias and idealized cipher In random block ciphers, the bias ε under a fixed key is the bias for a fixed randomly drawn permutation. Using [0, Theorem 4.7], one can demostrate that 7

Expanded key difference Linear characteristics θ AK SB SR MC AK SB SR MC KS AK SB SR MC AK SB SR MC KS AK SB SR AK =non-activebytesin and θ =nonzerobytesincharacteristicsθ =nonzerobytesinkeydifference ig. 2. Key difference invariant bias for 5 rounds of AES-256 the probability for the biases with two different keys to be exactly equal is Pr{ε = ε κ κ } 2π 2 3 n 2 for block sizes n 5. Thus, the key difference invariant property for idealized block ciphers is a rare event, which yields a distinguisher for susceptible ciphers outlined in the next section. 4 Statistical distinguisher and key recovery with key difference invariant bias In this section, we present the statistical distinguisher based on the key difference invariant bias for an n-bit block cipher, followed by a generic key recovery procedure. 4. Distinguisher In the distinguisher, our aim is to tell if we deal with the target cipher featuring the property or an idealized cipher. The setup for the statistical test is as follows. Suppose that we are given N plaintext-ciphertext pairs and λ linear approximations under a pair of expanded keys (K, K ) connected by in the way described in Condition. Then, for each one of these linear approximations we compute and store in counters S i and S i, i λ, which account for the number of times these approximations are satisfied for K and K with the N texts. The counters S i and S i suggest empirical biases ˆε i = Si N 2 and ˆε i = S i N 2 respectively. We evaluate consequently the following statistic s: 8

s = λ i= [( Si N ) ( S i 2 N )] 2. 2 We expect the statistic s to be lower for the target cipher, featuring the key difference invariant bias property, than for a random cipher. As we aim to perform key-recovery with this test, we will derive the distribution of this statistic for the right key guess (assuming the target structure) and for the wrong key guess (assuming a random cipher). Right key guess. The empirical bias value ˆε i for the i-th linear approximation approximately follows the normal distribution with the exact value of bias ε i as mean and variance /4N with good precision (cf., e.g., [4, 35]) for sufficiently large N: ˆε i N (ε i, /4N). In this case, the following proposition holds: Proposition 2 (Distribution of statistic s for the right key). Consider λ nontrivial linear approximations for a block cipher under a pair of expanded keys (K, K ) connected by conforming to Condition. If N is the number of known plaintext-ciphertext pairs, S i and S i are the numbers of times such a linear approximation is fulfilled for K and K, respectively, i {,..., λ}, and λ is high enough, then, assuming the counters S i and S i are all independent, the following approximate distribution holds for sufficiently large N and n: s N ( λ 2N, Proof. See the full version of this paper [2]. λ 2N 2 ). Wrong key guess. In this case, we base upon the hypothesis that for a wrong key, we deal with a random cipher consisting of permutations drawn at random. Then, each of the values ˆε i can be approximated by a normal distribution with mean ε i and variance /4N for sufficiently large N: ˆε i N (ε i, /4N) with ε i N (0, /2 n+2 ), where ε i is the exact value of the bias which is itself distributed over n-bit random permutations for n 5 [0, 3]. Then we have then the following proposition for the distribution of the statistic s: Proposition 3 (Distribution of statistic s for the wrong key). Consider λ nontrivial linear approximations for two randomly drawn permutations. If N is the number of known plaintext-ciphertext pairs, S i and S i are the numbers of times a linear approximation is fulfilled for these two permutations, 9

i {,..., λ}, and λ is high enough, then, assuming the independency of all S i and S i, the following approximate distribution holds for sufficiently large N and n: ( λ s N 2N + λ 2 n+, λ 2N 2 + λ 2 2n+ + λ ) N2 n. Proof. See the full version of this paper [2]. Data complexity of distinguisher. In the two above cases, we have seen that the statistic s will follow, depending on if we deal with the right or the wrong key, two different normal distributions. In the first case, it follows the normal distribution with mean µ 0 = λ 2N and variance σ2 0 = λ 2N, while in the second 2 case it follows the normal distribution with mean µ = λ 2N + λ 2 and variance n+ λ 2N + λ 2 2 + λ 2n+ σ 2 = N2. It has to be decided if the obtained statistic s is from n N (µ 0, σ0) 2 or from N (µ, σ). 2 To do that, we perform a test that compares the statistic s to a threshold value τ. This test says that s belongs to N (µ 0, σ0) 2 if s τ and that s belongs to N (µ, σ), 2 otherwise. As in any statistical test, one has to deal with two types of error probabilities here. The first one denoted by α 0 is the probability to reject the right key, whereas the second one denoted by α is the probability to accept a wrong key. The decision threshold used is τ = µ 0 + σ 0 q α0 = µ σ q α, where q α and q α0 are the quantiles of the standard normal distribution N (0, ). This simple test is visualized in igure 3. τ right guess wrong guess α α 0 µ 0 µ ig. 3. Statistical test for key difference invariant bias in key recovery It is well known [2] that in order for such a test to have error probabilities of at most α 0 and α, the parameters µ 0, σ0, 2 µ and σ 2 should be such that q α σ + q α0 σ 0 = µ µ 0. Now, using Proposition 2 and Proposition 3, we obtain the following equation that determines the amount of data needed by the distinguisher: N = 2 n+0.5 λ q α 2 (q α0 + q α ). (6) 0

4.2 How to recover the key with key difference invariant bias Here, we describe a generic key recovery attack approach that can be applied to block ciphers for which a key difference invariant bias property for r rounds has been identified. This procedure is described in Algorithm. We will feed this algorithm with the related key differential paths that are going to be used for the attack. Other entries to the algorithm will be the number of rounds of the distinguisher r, the number of rounds r top that we are going to append at the top of the distinguisher and the number of rounds r bot that we are going to add at the bottom of the distinguisher. In Algorithm, V [x] and V [x ] are the counters containing the number of times the partial state values x and x (values corresponding to non-zero mask of linear approximations) occur for N plaintext-ciphertext pairs under the key pair. Algorithm Generic Attack Procedure Require: A set of linear approximations (a, b) and master key difference δ = κ κ with the key difference invariant bias property holding. : for all related-key differential paths with a difference δ on the master-key do 2: Collect N plaintext-ciphertext pairs (P, C) under a key κ. 3: Collect N plaintext-ciphertext pairs (P, C ) under κ = κ δ. 4: Partially encrypt r top rounds and partially decrypt r bot rounds, obtain partial state values x and x covered by the input/output masks of (a, b) and compute V [x] and V [x ] (number of times these partial state values occur). 5: Allocate a counter s. 6: for all linear approximations (a, b) do 7: Allocate counters S and S and set them to zero. 8: for all values of x and x do 9: if the linear approximation holds then 0: Add V [x] and V [x ] to S and S, respectively. : end if 2: end for [ ( 3: Compute s = s + S ) ( )] N 2 S 2. N 2 4: end for 5: if s τ then 6: The guessed subkey is a possible subkey value. 7: Check exhaustively the remaining keys against several plaintext-ciphertext pairs. 8: end if 9: end for 20: return encryption key. 5 Attack on 24-round LBlock LBlock is a lightweight block cipher presented at ACNS 20 by Wu and Zhang [39]. It uses 64-bit block and 80-bit key and is based on a modified 32-round eistel structure. Its description is provided in the full version of this paper [2].

5. Previous cryptanalysis Despite its recent proposal, LBlock has already been extensively analyzed. or example, impossible differential attacks have been mounted in the single-key model [6, 2, 39] as well as attacks in the related-key model [26]. A relatedkey truncated differential attack on 22-round LBlock was given in [22]. Some other results concern integral cryptanalysis [20, 33, 34, 39]. A zero-correlation linear attack was equally mounted against 22 rounds of LBlock [36]. inally, biclique attacks [7, 40] provide only a small gain against exhaustive search. So the currently best non-exhaustive attacks against LBlock can break at most 22 rounds. In this paper, we propose an attack on 24 rounds of LBlock. Our results are summarized and compared to previous cryptanalysis in Table. Table. Summary of attacks on LBlock Model Attack #Rounds #keys Data per key Time Memory Ref. SK Imp. Diff 20 2 63 CP 2 72.7 2 68 [39] Imp. Diff 2 2 62.5 CP 2 73.7 2 55.5 [2] Imp. Diff 2 2 63 CP 2 69.5 2 75 [6] Imp. Diff 22 2 58 CP 2 79.28 2 76 [6] Integral 20 2 63.7 CP 2 63.7 N/A [39] Integral 20 2 63.6 CP 2 39.6 2 35 [33] Integral 22 2 6.6 CP 2 7.2 N/A [20] Integral 2 2 6.6 CP 2 54. 2 5.58 [34] Integral 22 2 6 CP 2 70 2 63 [34] Zero-Correlation 22 2 64 KP 2 70.54 2 64 [36] Zero-Correlation 22 2 62. KP 2 7.27 2 64 [36] Zero-Correlation 22 2 60 KP 2 79 2 64 [36] RK Imp. Diff 22 8 2 47 RKCP 2 70 N/A [26] Differential 22 2 2 63. RKCP 2 67 N/A [22] Key Diff Inv Bias 24 32 2 62.29 RKKP 2 74.59 2 6 Here Key Diff Inv Bias 24 32 2 62.95 RKKP 2 70.67 2 6 Here 5.2 Linear approximations with key difference invariant bias for LBlock We start by presenting the linear approximations with key difference invariant bias under two keys related by a difference on a single nibble of the master key. These linear approximations depicted in igure 4, hold for 6 rounds (from round 5 to round 20) under the related-key differential paths depicted in the full version of this paper [2]. The input mask of the 5-th round is (0000α00000000000) and the output mask of the 20-th round is (000000000β000000), α 0, β 0. There are in total (2 4 ) (2 4 ) 2 7.8 such linear approximations. We can see from igure 4 that the relations Γ r K r = 0, for 5 r 20 hold for all the related-key differential paths listed in the full version of this paper [2]. Therefore Condition is satisfied, so the linear approximations in igure 4 have a key difference invariant bias under the related-key differential paths listed in the full version of this paper [2]. 2

0000α000 Input Mask 00000000 0000000 K5 S7 00000000 Γ5= 00000000 ΔK5= 000000 00000000 K6 0000000 S7 Γ6= 0000000 ΔK6= 00000000 0000000 K7 0000000 Γ7= 0000000 ΔK7= 00000000 0000000 K8 000000 S7 Γ8= 000000 ΔK8= 000000 S7 K3 S7 Γ3= ΔK3= 00000000 K4 0 S7 Γ4= 0 ΔK4= 0000000 0 K5 000 S7 Γ5= 000 ΔK5= 00000000 000 K6 00000 S7 Γ6= 00000 ΔK6= 0000000 000000 K9 00000 Γ9= 00000 ΔK9= 00000000 00000 K0 000 S7 Γ0= 000 ΔK0= 00000000 S7 00000 K7 000000 S7 Γ7= 000000 ΔK7= 00000000 000000 K8 0000000 Γ8= 0000000 ΔK8= 00000000 S7 000 K 0 S7 Γ= 0 ΔK= 0000000 0 K2 S7 Γ2= ΔK2= 00000000 0000000 K9 0000000 S7 Γ9= 0000000 ΔK9= 0000000 0000000 K20 00000000 S7 Γ20= 00000000 ΔK20= 00000000 00000000 0000000 00000000 Output Mask 0β000000 Γ r, 5 r 20: input mask value for the S-boxes in round r. K r, 5 r 20: the subkey difference in round r. In masks, 0, and : zero, nonzero and arbitrary mask for a nibble, resp. In differences, 0, and : zero, nonzero and arbitrary difference for a nibble, resp. ig. 4. 6-round linear approximations with key difference invariant bias for LBlock 3

The related-key differential paths that we used for our attack are presented in the full version of this paper [2]. 5.3 Key recovery for 24-round LBlock The 6-round linear approximations with key difference invariant bias that we used for our attack start before round 5 and end after round 20. The initial four rounds, round to round 4, are added before the linear approximations and the final four rounds, round 2 to round 24, are appended after the linear approximations. The details of this stage, and the nibbles to be computed in the initial and the final four rounds are shown in the full version of this paper [2]. or this attack, r = 6, r top = 4 and r bot = 4. These elements will be input to Algorithm. Attack procedure for 24-round LBlock. The attack for LBlock will follow the attack procedure described in Algorithm. or this reason the Steps 2 and 3 of Algorithm do not have to be executed for every path of Step. The Step 4 of Algorithm for LBlock is composed itself of 4 consecutive steps. The details of Step 4 are presented in the full version of this paper [2]. After proceeding from Step 5 to Step 5, we obtain the counter s containing the χ 2 statistics for the subkey guess. The right value of guessed 53-bit subkey is likely to be among the candidates with the statistic s lower than or equal to the threshold τ = λ N q 2 α 0 + λ 2N. All cipher keys it is compatible with are tested exhaustively against a maximum of 2 plaintext-ciphertext pairs. Complexity estimation. We start by evaluating the complexity of Step 4. rom Step 4. to Step 4.4, the time complexity is T = N 2 4 2 + 2 60 2 8 2 + 256 22 2+252 23 2+248 27 2+244 22 2+240 225 2+236 229 2+232 233 2+ 2 28 237 2+224 24 2+220 245 2+26 249 2+22 253 2 = N 2 5 +2 2 69 + 2 66. We will compute N by using Equation (6), after choosing the values of α 0 and α. Here, the number of linear approximations is λ = 2 7.8 and n = 64. Different choices of α 0 and α will provide a time-complexity trade-off. We start by choosing some concrete values for α 0 and α that lead to an optimized time complexity. By setting α 0 = 2 2.7 and α = 2 8.5, we have q α0.02 and q α 2.77. In this way N 2 62.95 (Note that the same N (P, C) pairs or N (P, C ) pairs can be reused for different related-key differential paths under the condition that κ 4 7 remains the same.) and the threshold value gets τ 2 55.02. Then, T 2 70.95 times of 8 round encryption which is equivalent to 2 63.37 times of 24-round encryptions. Note that the time complexity of the procedure described in Steps 6 4 is negligible. Under each related-key differential path, the value of κ 4 7 is already known, so the time complexity of Steps 6-9 is about 2 76 2 8.5 = 2 67.5 times of 24-round encryption. Therefore, the total complexity from Step 2 to Step 8 is about 2 67.58 encryptions. After proceeding from Step 2 to Step 8, if we can not succeed, this means that the value of the right key does not belong to the values corresponding to the related-key differential path tested. We can then use another related-key differential path 4

to proceed the above attack. All possible values of the master key bits κ 4 2 are covered by the related-key differential paths, so we could always find the right key where in the worst case, all the related-key differential paths have to be tested. So the expected time complexity of our attack on 24-round LBlock is about 2 67.58 [+( 5 6 )+ +( 6 )] 270.67 24-round encryptions. The data complexity is 2 62.95 known plaintexts under each master key, while 2 60 2 = 2 6 bytes of memory are required to store the counters. Another possible choice of α 0 and α can lead to a different time-data complexity trade-off. or example, if we set α 0 = 2 2.7 and α = 2 4.5, then q α0.0 and q α.70, we get N 2 62.29. or these parameters the expected time complexity is about 2 74.59 encryptions and the expected data complexity is 2 62.29 known plaintexts for each master key. The memory requirements are the same as in the previous attack. Other possible time-data trade-offs with β 0 = 2 2.7 for the attack on LBlock can be visualized in igure 6. 6 Attack on 27-round TWINE-28 TWINE is a lightweight block cipher proposed by Suzaki, Minematsu, Morioka and Kobayashi in [37]. Its structure is based on a modified Type-2 generalized eistel scheme. The cipher s description is given in the full version of this paper. 6. Previous cryptanalysis In the original proposal of TWINE [37], the authors analyze the resistance of TWINE against various types of attacks, such as impossible differential and saturation attacks. The best analysis in this proposal is an impossible differential attack against 23 rounds of TWINE-80 and against 24 rounds of TWINE-28. Moreover, biclique attacks have been mounted in [7] for both full-round versions of TWINE, but the time complexity of these attacks is only marginally lower than exhaustive search. 6.2 Linear approximations with key difference invariant bias for TWINE-28 We present 7-round (from round 6 to round 22) linear approximations with key difference invariant bias under related-key differential paths for TWINE-28 in igure 5. In our attack, the input mask of the 6-th round is 00000000000α000 and the output mask of the 22-th round is 0000000β000000000, α, β 0. Thus, there are 5 5 2 7.8 such linear approximations, exactly as in the case of LBlock. We start by describing the related-key truncated differential path that we use in our attack. This differential path was found by considering only differences in only one nibble of the master key and by searching exhaustively over all such configurations. This path is described in the full version of this paper [2]. More precisely, we consider a difference equal to in the 22nd nibble of the master key. This 5

differential path covers all the possible key values and is sufficient to recover the right key value. rom igure 5, we can see that Γ r K r = 0, 6 r 22 (where K r and K r denote the subkey value and the subkey difference for the round r respectively) and thus Condition is satisfied. 6.3 Key recovery for 27-round TWINE-28 We utilize the 7-round distinguisher in igure 5 to attack 27 rounds of TWINE- 28. The initial five rounds from round to round 5 are added before the distinguisher and the final five rounds from round 23 to round 27 are appended after the distinguisher, as shown in the full version of this paper. In such a way, the first 27 rounds of TWINE-28 are covered. The attack is proceeded by following Algorithm. The parameters are r = 7, r top = 5, r bot = 5, see the full version of this paper. After proceeding from Step 5 to Step 5, we obtain the counter s containing the χ 2 statistics for the subkey guess. The right value of guessed 96-bit subkey is likely to be among the candidates with the statistic s lower than or equal to the threshold τ = λ N q 2 α 0 + λ 2N. All cipher keys it is compatible with are tested exhaustively against a maximum of 2 plaintext-ciphertext pairs. Complexity estimation. We start by evaluating the complexity T of Steps 4.-4.7. T = N 2 20 2+N 2 32 5 2+N 240 5 2+260 244 2 5+256 248 2 5+ 252 252 2 5+248 256 2 5+244 260 2 5+240 264 2 5+236 268 2 5+236 272 2 5+232 276 2 5+228 280 2 5+224 284 2 5+220 288 2 5+26 292 2 5+ 2 2 2 96 2 5 = N 2 20 2+N 2 32 5 2+N 2 40 5 2+7 2 04 2 5+7 2 08 2 5. To compute N, we will use Equation (6). Here, the number of linear approximations is λ = 2 7.8 and n = 64. Therefore N will be computed after choosing the values of α 0 and α. Different choices of these values will provide a data-time trade-off. We start by choosing some concrete values for α 0 and α that lead to an optimized time complexity. Consider for example α 0 = 2 2.7 and α = 2 8.5. Then q α0.02 and q α 2.77. By replacing these values to Equation (6), we obtain N 2 62.95. The threshold value gets τ = λ N q 2 α 0 + λ 2N 2 55.02. Thus T 2 5.8 times of /8 encryption, which is equivalent to 2 08.05 times of 27-round encryption. The complexity of computing the counters S and S is negligible. The complexity of the last step is 2 28 2 8.5 = 2 9.5 times of 27-round encryption. Thus the total time complexity of the attack is about 2 9.5 27-round TWINE-28 encryptions. The data complexity is N 2 62.95 known plaintexts per key and the memory requirements are 2 6 bytes to store the counters. In the same way, if we want to optimize the data complexity, we choose α 0 = 2 2.7 and α = 2 4.5. Then q α0.02 and q α =.70. Equation (6) gives now N = 2 62.29 and the threshold is 2 54.38. The time complexity of the attack is 2 23.5 and the data complexity is N = 2 62.29 known plaintexts per key. igure 7 depicts different possible data-time trade-offs with β 0 = 2 2.7. 6

Γ6 K6 Γ7 K7 Γ8 K8 Γ9 K9 Γ0 K0 Γ K Γ2 K2 Γ3 K3 Γ4 K4 Γ5 K5 Γ6 K6 Γ7 K7 Γ8 K8 Γ9 K9 Γ20 K20 Γ2 K2 Γ22 K22 Vectors Γ r, 6 r 22: input mask value of S-box. Green nibbles: nibbles with nonzero difference in the subkeys. Blue nibbles: nibbles w/nonzero mask Yellow nibbles: nibbles w/undetermined mask. White nibbles: nibbles w/zero mask or 0 subkey difference. ig. 5. 7-round linear approximations for key difference invariant bias for TWINE-28 7

63 63 log 2 (Data Complexity) 62.8 62.6 62.4 log 2 (Data Complexity) 62.8 62.6 62.4 72 74 log 2 (Time Complexity) ig. 6. Data-time trade-off for the attack on 24-round LBlock 20 22 log 2 (Time Complexity) ig. 7. Data-time trade-off for the attack on 27-round TWINE-28 7 Conclusions In this paper, we reveal the fundamental property of key difference invariant bias in key-alternating block ciphers. We show how to identify this property efficiently. We propose a statistical distinguisher for the property and demonstrate the property for 5 rounds of AES. As an illustration, using our novel cryptanalytic technique, under related keys, we attack more rounds of LBlock and TWINE than the best previous cryptanalysis. Acknowledgements. This work was partially supported by the Research und KU Leuven, OT/3/07, 973 program (No. 203CB834205), NSC Projects (No. 63303 and No. 6070244), as well as Interdisciplinary Research oundation of Shandong University (No.202JC08). References. M. A. Abdelraheem, M. Agren, P. Beelen, G. Leander. On the Distribution of Linear Biases: Three Instructive Examples. CRYPTO 202, LNCS, vol. 747, pp. 50 67, Springer-Verlag, 202. 2. A. Bogdanov, C. Boura, V. Rijmen, M. Wang, L. Wen, J. Zhao. Key Difference Invariant Bias in Block Ciphers. IACR Eprint report, 203. 3. A. Bogdanov, V. Rijmen. Linear Hulls with Correlation Zero and Linear Cryptanalysis of Block Ciphers. Accepted to Designs, Codes and Cryptography, in press, Springer-Verlag, 202. 4. A. Bogdanov, M. Wang. Zero Correlation Linear Cryptanalysis with Reduced Data Complexity. SE 202, LNCS, vol. 7549, pp. 29 48, Springer-Verlag, 202. 5. A. Bogdanov, G. Leander, K. Nyberg, M. Wang. Integral and Multidimensional Linear Distinguishers with Correlation Zero. ASIACRYPT 202, LNCS, vol. 7658, pp. 244 26, Springer-Verlag, 202. 6. J. Y. Cho. Linear Cryptanalysis of Reduced-Round PRESENT. CT-RSA 200, LNCS, vol. 5985, pp. 302 37, Springer-Verlag, 200. 8

7. B. Collard,.-X. Standaert. Experimenting Linear Cryptanalysis. Advanced Linear Cryptanalysis of Block and Stream Ciphers, P. Junod, A. Canteaut (eds.), ISO Press, 20. 8. J. Daemen, R. Govaerts, J. Vandewalle. Correlation Matrices. SE 994, LNCS, vol. 008, pp. 275 285, Springer-Verlag, 995. 9. J. Daemen, V. Rijmen. The Design of Rijndael: AES - The Advanced Encryption Standard. Springer-Verlag, ISBN 3-540-42580-2, 2002. 0. J. Daemen, V. Rijmen. Probability Distributions of Correlations and Differentials in Block Ciphers. Journal of Mathematical Cryptology (3), pp. 22 242, 2007.. J. Daemen, V. Rijmen. Probability Distributions of Correlation and Differentials in Block Ciphers. Tech. Rep. 22, IACR eprint Report 2005/22 (2005), http://eprint.iacr.org/2005/22. 2. W. eller. An Introduction to Probability Theory and Its Applications, 97. 3. M. Hermelin, J.Y. Cho, K. Nyberg. Multidimensional Extension of Matsui s Algorithm 2. SE 2009, LNCS, vol. 5665, pp. 209 227, Springer-Verlag, 2009. 4. P. Junod. On the Complexity of Matsui s Attack. SAC 200, LNCS, vol. 2259, pp. 99 2, Springer-Verlag, 200. 5. B. Kaliski, M. Robshaw, Linear Cryptanalysis Using Multiple Approximations. CRYPTO 994, LNCS, vol. 839, pp. 26 39, Springer-Verlag, 994. 6.. Karakoç, H. Demirci, A. Harmanci. Impossible Differential Cryptanalysis of Reduced-Round LBlock. WISTP 202, LNCS, vol. 7322, pp. 79 88, Springer- Verlag, 202. 7.. Karakoç, H. Demirci, A. Harmanci. Biclique Cryptanalysis of LBlock and TWINE. Inf. Process. Lett. 3(2), pp. 423 429, 203. 8. L. Keliher, J. Sui. Exact Maximum Expected Differential and Linear Probability for Two-Round Advanced Encryption Standard. IET Information Security (2), pp. 53 57, 2007. 9. J. Kim. Combined Differential, Linear and Related-Key Attacks on Block Ciphers and MAC Algorithms. Ph.D. thesis, K.U.Leuven, 2006. 20. Y. Li. Integral Cryptanalysis on Block Ciphers (in Chinese). [D]. Beijing: Institute of Software, Chinese Academy of Sciences, 202. 2. Y. Liu, D. Gu, Z. Liu, W. Li. Impossible Differential Attacks on Reduced-Round LBlock. ISPEC 202, LNCS, vol. 7232, pp. 97 08, Springer-Verlag, 202. 22. S. Liu, Z. Gong, L. Wang. Improved Related-Key Differential Attacks on Reduced- Round LBlock. ICICS 202, LNCS, vol. 768, pp. 58 69, Springer-Verlag, 202. 23. M. Matsui. Linear Cryptanalysis Method for DES Cipher. EUROCRYPT 993, vol. 765, pp. 386 397, Springer-Verlag, 993. 24. M. Matsui. The irst Experimental Cryptanalysis of the Data Encryption Standard. CRYPTO 994, LNCS, vol. 839, pp., Springer-Verlag, 994. 25. M. Matsui, A. Yamagishi. A New Method for Known Plaintext Attack of EAL Cipher. EUROCRYPT 992, LNCS, vol. 658, pp. 8 9, Springer-Verlag, 993. 26. M. Minier, M. Naya-Plasencia. A Related Key Impossible Differential Attack against 22 Rounds of the Lightweight Block Cipher LBlock. Inf. Process. Lett., 2(6), 624 629, 202. 27. S. Murphy. The Effectiveness of the Linear Hull Effect. J. Mathematical Cryptology 6(2), pp. 37 47, 202. 28. K. Nyberg, R. Hakala. A Key-Recovery Attack on SOBER-28, Symmetric Cryptography Dagstuhl Seminar No. 0702, 2007. 29. K. Nyberg. Linear Approximation of Block Ciphers. EUROCRYPT 994, LNCS, vol. 950, pp. 439 444, Springer-Verlag, 994. 9

30. K. Nyberg. Linear Cryptanalysis Using Multiple Linear Approximations. Early Symmetric Crypto (ESC 200) seminar, Remich, Luxembourg, 20. https://cryptolux.org/mediawiki.esc/images/5/52/esc nyberg.pdf 3. L. O Connor. Properties of Linear Approximation Tables. SE 994, LNCS, vol. 008, pp. 3 36, Springer-Verlag, 995. 32. A. Röck, K. Nyberg. Generalization of Matsui s Algorithm to Linear Hull for Key- Alternating Block Ciphers. Designs, Codes and Cryptography, 66(-3), pp. 75 93, Springer-Verlag, 203. 33. Y. Sasaki, L. Wang. Meet-in-the-Middle Technique for Integral Attacks against eistel Ciphers. SAC 202, LNCS, vol. 7707, pp. 234 25, Springer-Verlag, 203. 34. Y. Sasaki, L. Wang. Comprehensive Study of Integral Analysis on 22-Round LBlock. ICISC 202, LNCS, vol. 7839, pp. 56 69, Springer-Verlag, 203. 35. A.A. Selçuk. On Probability of Success in Linear and Differential Cryptanalysis. Journal of Cryptology, Volume 2(), pp. 3 47, Springer-Verlag, 2008. 36. H. Soleimany, K. Nyberg. Zero-Correlation Linear Cryptanalysis of Reduced-Round LBlock. Accepted to WCC 203. To appear. http://eprint.iacr.org/202/570.pdf, 202. 37. T. Suzaki, K. Minematsu, S. Morioka, E. Kobayashi. TWINE : A Lightweight Block Cipher for Multiple Platforms. SAC 202, LNCS, vol. 7707, pp. 339 354, Springer-Verlag, 202. 38. D. Wagner. The Boomerang Attack. SE 999, LNCS, vol. 636, pp.56 70, Springer-Verlag, 999. 39. W. Wu, L. Zhang. LBlock: A Lightweight Block Cipher. ACNS 20, LNCS, vol. 675, pp. 327 344, Springer-Verlag, 20. 40. X. Yu, Y. Wang, W. Wu, L. Zhang. Security on LBlock against Biclique Cryptanalysis. WISA 202, LNCS, vol. 7690, pp. 4, Springer-Verlag, 202. 20

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback